In recent years, the reliance on artificial intelligence (AI) chatbots has increased more than anyone had anticipated. AI chatbots have become a part of our daily lives. From asking basic questions to sharing our deepest, darkest secrets, our chat pals know us better than anyone other human does. However, is our personal data really safe in the hands of these multi-billion-dollar tech giants owned Large Language Models (LLMs)?
These AI programs are usually stored on huge servers. These LLMs are constantly keeping a record of every conversation. In the world of free services on the internet, where users often turn into products, the fear of one's personal data being mishandled is a completely valid concern.
An investigation report by KOI has revealed alarming results. They used Wings, an agentic-AI risk engine. They were looking into browser extensions for capabilities to read and extract conversations between the user and AI chatbots.
During the investigation, they came across a 4.7-star-rated Chrome extension with a user base of more than 6 million. According to the report, the browser extension has been found to have individual execution codes for different AI chatbots like ChatGPT, Claude, Gemini and many more. These embedded codes are capable of extracting user conversations and sending them to be stored on the server.
The report also suggests that this is not the only extension that comes with these kinds of codes hidden inside.
Your sensitive data is out there
These extensions inject an extraction code based on the AI site one is visiting. For example, if someone is visiting Gemini, then the extension will inject a specific code for that. The same happens with other platforms.
From there, the script gets to work, intercepting the responses, extracting the data from the conversation. Such as prompts, the AI's responses, timestamps, and conversation IDs.
Then the data is hidden in a regular packet, sent to the extension's background service worker, which then compresses and transfers it to the extension's servers, as per the KOI report.
You were warned before
The report also highlighted that the said extension already mentions how they handle the user data and in their privacy policy agreement. However actual privacy policy is "buried deep in the document."
They agreement mentions that it accesses the user's "AI Inputs and Outputs. As part of the Browsing Data, we will collect the prompts and outputs queried by the End-User or generated by the AI chat provider, as applicable.’ And: ‘We also disclose the AI prompts for marketing analytics purposes."
KOI suggests the uninstallation of any extensions right away. As they might have been harvesting users' personal data and sharing it with third parties. The specific extension that's being talked about here is Urban VPN Proxy. Some other extensions found similar scripts are - 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker. All of these have a combined user base of over 8 million.
